Slow Login when Offline/Off Network

Guest

Our school has roughly 300 MacBooks assigned out to students. Each MacBook is bound to our Xserve through Open Directory and also to our Active Directory Server. All log-in/account info comes through Active Directory. The first time students log in, it asks them to set up a mobile account and we have them click create. We have been getting complaints from students that when they are off our school's network, logging in takes about 5 minutes. In what we have seen, the student types their log-in info and clicks log in, the login window grays out and sits there for a few and finally logs in. Now, when they are on our network, they get logged in immediately. It seems to me whenever a student logs in, it is searching for either Active Directory or Open Directory and preventing the user from logging in immediately. What setting am I missing that will prevent this from happening?
Thanks!

macrumors newbie

Are your AD/OD servers, and the appropriate ports, accessible from the outside? If not, then the Macbooks are attempting to BIND to IP addresses/DNS names that they cannot find when not connected to your network. So they will search, timeout and login.

You have to translate outside IPs, ports and DNS names for your AD/OD servers via NAT or DMZ (whatever your setup may be).

You might be able to set up a 2nd automatic location for the machines and have the students switch when they are outside the network. I think that the mobile accounts will still allow login, without attempting to sync to the server. Although, I haven't tried that scenario.

thread starter Guest

Our servers are only accessible on our local network and so no, the MacBooks are unable to connect to the server and are timing out. The only problem is the timeout is taking forever. Some students have reported it taking up to 10 minutes to log in. I took one of the MacBooks home and it took about 4 minutes to log in. Is there a way to reduce the timeout time? When the students logged in the first time, they were on our network and were asked to create a mobile account. We clicked "create mobile account" and one was created. My best guess is the timeout time is set way too high. If there is a way to reduce it please let me know and I will give it a try. Thanks!

macrumors newbie

Are you manually adding the DNS, search domains and LDAP to the Macbooks? If so, they would be the first things to disable. If the DHCP server correctly identifies the proper servers for the DNS zone, then this will populate automatically inside, and not populate when the students are outside of the firewall. I am not a fan of DHCP for LDAP. So definitely try this with a couple of units first.

Unfortunately, there will be a delay regardless, because the machine is attempting to authenticate back to the AD server, and perform a sync at login. But if you set a very minimal set of login sync items, that would reduce the number of items that the Macbooks are attempting to sync.

I don't think that you'll eliminate the delay. But addressing the above items might help reduce it to an acceptable time. Then again, if you sync the mobile accounts in intervals and instruct students not to log off, just close the lid, that would also help as well. Even though it's not the ideal solution.

thread starter Guest

We did the upgrade on a few more systems today and told those students to shut down before they leave the school and then start it up when they get home and let us know how the log in went. Hopefully everything will be okay and then all we have to do is deploy 10.5.5 to all the systems and all will be well!

macrumors P6

> We did the upgrade on a few more systems today and told those students to shut down before they leave the school and then start it up when they get home and let us know how the log in went. Hopefully everything will be okay and then all we have to do is deploy 10.5.5 to all the systems and all will be well!

Sounds good! Just curious, but how do you deploy the update to the systems? Do you use remote desktop?

macrumors newbie

> Problems solved with 10.5.5.
> I upgraded a system yesterday and took it home and it seems to be logging in just fine now! That's all we needed!

I am still having the problem, even after upgrading to 10.5.5. My Macbook Pro is a guinea pig machine, where it is the only machine bound to AD to test the cached credentials and group policy capabilities of Leopard. It was upgraded to 10.5.5, then bound to AD in the Directory Utility. Options set to create a mobile account at login.
The MBP has no problems logging in right away when directly connected to the network, but when outside the network, it takes anywhere from 3-5 minutes to finally finish logging in after entering the username & password at the login window screen. I haven't been able to find much about this problem on other sites. Anybody have any other ideas?

Our AD domain is a ".local" domain; do you think that would make a difference? Wish there were some way to set the timeout period to a low number.

macrumors P6

> I am still having the problem, even after upgrading to 10.5.5. My Macbook Pro is a guinea pig machine, where it is the only machine bound to AD to test the cached credentials and group policy capabilities of Leopard. It was upgraded to 10.5.5, then bound to AD in the Directory Utility. Options set to create a mobile account at login.
> The MBP has no problems logging in right away when directly connected to the network, but when outside the network, it takes anywhere from 3-5 minutes to finally finish logging in after entering the username & password at the login window screen. I haven't been able to find much about this problem on other sites. Anybody have any other ideas?
>
> Our AD domain is a ".local" domain; do you think that would make a difference? Wish there were some way to set the timeout period to a low number.

Have you upgraded the server to 10.5.5? And do you have DNS set up correctly?

macrumors newbie

> Have you upgraded the server to 10.5.5? And do you have DNS set up correctly?

This MBP is authenticating against AD in a Windows Server 2003 environment, not OD on a Mac OS X Server, so the Windows server can't be upgraded to 10.5.5 since it's not a Mac.

DNS is set up correctly; we don't have any problems with Windows XP users signing in when they are not connected to the network. We also have tested Centrify DirectControl on Tiger & Leopard MBPs, and that works just fine without any delays in logging in using an AD mobile account when they are not connected directly to our internal network.

We are attempting to test the built-in AD functionality of 10.5.5 on the client side, to see if we could avoid using Centrify DC, but so far, we are having this login delay problem.

I've noticed that it seems to sign on with no delay when it has not made a connection to a network, but the delay occurs when it has made a connection, such as a wireless router in a hotel or at a user's home.
